Posted: 15 Jan 2015 04:25
by Michaelv
Hi All,

Just to make some users aware.
If you check your Reports -> Spamassassin Rule Hits.

If you see that is affecting a lot of your emails (based on the count vs the total emails). For me during testing, it was 99% of emails hit this rule.

This means that you are using your ISP or some public DNS servers like Google(

The reason is that these DNS servers are doing too many lookups to those RBL DNS. These RBL DNS block requests above a certain number of queries per IP unless you are a paid subscriber.

To avoid that, ideally you should have your DNS recursor that does direct queries to these RBL DNS. This allows these RBL DNS to only see your recursor IP and not mix with hundreds of other anti-spam servers' requests.

For me, I disabled the dnsmasq and installed unbound recursor within the same vm.
Unbound is nice because you can specify the amount of memory to use for DNS cache, and its own memory footprint is small, which is important if you have a memory limit.
named has a fixed memory limit but its own code is bloated and uses memory. PowerDNS recursor cache size is based on number of entries, which is a bit tricky to manage memory utilisation.




Posted: 16 Apr 2015 06:59
by darky83
Made the post sticky as it seems more and more users are running into this issue.


Posted: 16 Apr 2015 09:04
by pdwalker
linked to the wiki


Posted: 22 Apr 2015 21:19
by Mcoulianos
Can we get more of an explanation on this? I'm getting a ton of delayed emails coming from google mail servers ever since the update and as soon as I whitelist an address the delays stop so it's definitely something in E.F.A. causing them. Not seeing anything on the wiki regarding this.


Posted: 23 Apr 2015 00:35
by pdwalker
Delayed mail <> URIBL_BLOCKED

Your issue is different, if I'm understanding what you've said correctly. Your issue sounds like you don't like grey listing.


Posted: 17 May 2015 19:18
by thebjorn
Ok, so I've followed the instructions at ... os-redhat/ to install a caching nameserver on the efa box. I've also updated the primary dns under option 4 -> 4 of the EFA config program. I'm still getting the error.

When I try the command listed to test the setup I get

[root@efa3 MailScanner]# host -tTXT descriptive text " -> Query Refused. See for more information [Your DNS IP:]"

is apparently a google ip, but I have no idea where it is coming from..?

I've restarted the named service, do I need to reboot the entire system? (or am I going in the entirely wrong direction?)


Posted: 17 May 2015 19:39
by thebjorn
I knew I'd find the solution as soon as I posted the question ;-) Based on the bug report ( I ended up at a commit ( ... f3e78c018d) where I noticed that dnsmasq is a service... A quick

service dnsmasq restart
and it is working from the command line

[root@efa3 MailScanner]# host -tTXT descriptive text "permanent testpoint"
.. and the errors are gone -- yay :-)


Posted: 18 May 2015 02:57
by shawniverson
The next update will fix this permanently for users affected.


Posted: 02 Jun 2015 14:16
by thebjorn
After my success message above, I got a message from gmail saying:

<>: mail for [] loops back to myself

so obviously something wasn't correctly configured. I forget what I did to get it working again, but during the upgrade this problem popped up again - after the kernel update and preventing the EFA-Update from working (something like "downloaded version file is corrupt" - I forgot to take a copy of the message).

I uninstalled (yum remove) bind and bind-chroot, reset the DNS to our domain controller, rebooted, and was able to run EFA-Update. Mail is again flowing, but I'm still getting

0.00 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See ... nsbl-block for more information.

Was this supposed to be fixed in the release?


Posted: 02 Jun 2015 14:54
by shawniverson
You will need to turn on full recursive DNS on your EFA appliance.

EFA-Configure --> 4) IP Settings --> 4) DNS Recursion

Make sure your EFA can query DNS outbound on port 53.


Posted: 02 Jun 2015 15:47
by thebjorn
You're awesome! :clap:


Posted: 07 Dec 2017 10:49
by sxfx
I'm using DNS Recursion but I'm getting the block message. Any ideas?


Posted: 08 Dec 2017 07:41
by pdwalker
Verify your DNS settings.

Are you really recursing? Or are you actually using someone else's DNS server to make the query on your behalf?

Are you using a shared IP?
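
Added example, not part of any post in this thread: a shell check for the two questions above, reading a resolv.conf-style file and an unbound forwarders file and reporting whether lookups are recursed locally or relayed to another resolver. The function names and verdict strings are made up for illustration, the sample files are constructed, and it assumes the loopback resolver is unbound (a local dnsmasq that forwards upstream would not be detected).

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# resolv_mode FILE -> "local" if every nameserver is loopback, else "remote".
resolv_mode() {
    awk '$1 == "nameserver" { n++; if ($2 !~ /^127\./ && $2 != "::1") r++ }
         END { if (!n) print "none"; else if (r) print "remote"; else print "local" }' "$1"
}

# root_forwarders FILE -> forward-addr values of any forward-zone named ".".
# Empty output means unbound resolves from the root servers itself.
root_forwarders() {
    awk 'function flush() { if (root) printf "%s", addrs; addrs = ""; root = 0 }
         { sub(/#.*/, "") }                       # drop comments
         NF == 1 && ($1 ~ /-zone:$/ || $1 == "server:" || $1 == "remote-control:") {
             flush(); fwd = ($1 == "forward-zone:"); next }
         fwd && $1 == "name:" { gsub(/"/, "", $2); if ($2 == ".") root = 1 }
         fwd && $1 == "forward-addr:" && NF > 1 { addrs = addrs $2 "\n" }
         END { flush() }' "$1"
}

# recursion_verdict RESOLV_CONF FORWARDERS_CONF
recursion_verdict() {
    if [ "$(resolv_mode "$1")" != "local" ]; then
        echo "forwarding-resolv"    # stub resolver bypasses the local recursor
    elif [ -n "$(root_forwarders "$2")" ]; then
        echo "forwarding-unbound"   # local unbound relays every query upstream
    else
        echo "recursing"            # RBLs see this host's own IP
    fi
}

# Constructed sample files; 192.0.2.53 is a documentation address.
demo=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$demo/resolv.conf"
printf 'forward-zone:\n  name: "."\n  forward-addr: 192.0.2.53  # upstream\n' \
    > "$demo/forwarders.conf"
recursion_verdict "$demo/resolv.conf" "$demo/forwarders.conf"
rm -rf "$demo"
```

On an appliance the same function can be pointed at the real files, e.g. `recursion_verdict /etc/resolv.conf /etc/unbound/conf.d/forwarders.conf`.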


Posted: 08 Dec 2017 13:37
by sxfx
Hello! Here some things:

[root@efa /]# cat /etc/resolv.conf

[root@efa /]# host -tTXT descriptive text "permanent testpoint"

I only see this message "ADMINISTRATOR NOTICE: The query to URIBL was blocked. See ... nsbl-block for more information." when I test my dkim against

Is this message for them or for me?

Can you send an email test to (they will give you a random mail to test)

And.. how do I debug it on my box? /var/log/maillog shows nothing. Thanks


Posted: 09 Dec 2017 00:39
by henk
As pdwalker stated
Verify your DNS settings. -What dns server do you use?
Could you list the content of
  1. /etc/unbound/unbound.conf
  2. /etc/unbound/conf.d/forwarders.conf
and list stats

unbound-control stats_noreset |grep total 
Dig multiple times and check the query time. ( should be ;; Query time: 0 msec)

dig @


Posted: 11 Dec 2017 15:14
by sxfx


[root@efa ~]# unbound-control stats_noreset |grep total



Posted: 11 Dec 2017 23:16
by henk
Hi sxfx,

Your config is the default config and seems to work fine. ( from your EFA machine viewpoint)

As your resolv.conf points to-> nameserver What is your DNS server to forward dns requests?

Since DNS queries are expected to come from verifiable IP addresses, and cannot be mapped to a public IP address, the query probably failed because the RBL / BRBL could not identify a public IP address. On top of that it's generally limited to no more than 100K queries from ANY SINGLE DNS SERVER IP ADDRESS in a given day. (So try pointing to a LOCAL DNS SERVER, with a PUBLICLY MAPPABLE IP ADDRESS)

You could force a forwarding dns server in /etc/unbound/conf.d/forwarders.conf

  name: "."
  forward-addr:      # Forward dns server IP
  forward-first: yes
Or take a look at viewtopic.php?t=2567


Posted: 19 Jul 2019 06:55
by Janvhirashe
I was facing the same problem, but now it has been fixed. There is no problem now.